September Patch Aims at Windows Web Components

Microsoft on Tuesday rolled out its September security patch, which is notable for containing five "critical" security bulletins.

Expect a couple of themes with this patch. First, all of the fixes address remote code execution (RCE) risks. Second, every bulletin deals with Web components, from server connections to corrupt files distributed through e-mail.

The first critical patch is said to plug a hole in the Microsoft JScript Scripting Engine used in every supported Windows OS. The exploit can be triggered via a specially crafted corrupt file or even by clicking on an infected Web page with "malformed script," according to Microsoft. A hacker exploiting this vulnerability could set user administrative rights and could "view, change or delete" data.

The second patch touches an RCE vulnerability only in Vista and Windows Server 2008. It pertains to a single privately disclosed bug in the Wireless Local Area Network (LAN) AutoConfig Service. Client workstations and server systems without enabled wireless cards are immune to this bug, but it's a potential problem for networks with Wi-Fi access.

Potential malicious Windows Media Format files, such as corrupt audio or video files, are a consistent vector for client side attacks. These files are the focus of critical item No. 3. The patch is designed to fix vulnerabilities in Windows Media Format Runtime versions 9.0, 9.5 and 11 in every supported Windows OS.

TCP/IP Bug: A Focus for Security Pros
Fix No. 4 deals with a Transmission Control Protocol/Internet Protocol (TCP/IP) bug. The patch doesn't apply to Windows XP, but it does apply to all other OSes.

"In addition, it has maximum criticality only on Vista and Windows Server 2008, the newest generation of the OS family," said Wolfgang Kandek, chief technology officer at Qualys.

The fix deals with a rare server-side function and resolves several "privately" reported vulnerabilities, according to Microsoft. It addresses vulnerabilities in both Windows and Cisco Systems products. Microsoft says there are holes that could allow RCE exploits if malicious TCP/IP packets are sent over the network.

As a fail-safe, Microsoft recommends "firewall best practices," which include cutting hackers off at the pass by limiting exposed connection ports.

"Microsoft hasn't seen a serious bug in its TCP/IP stack in a long time, so it's pretty likely this is the exploit most people will focus on," said Andrew Storms, director of security at nCircle. "This update follows on the heels of a new zero-day 'blue screen of death' vulnerability and the combination of these two serious vulnerabilities will shake a lot of people's confidence in the integrity of Microsoft's networking stack."

The fifth and final patch in the slate describes a vulnerability in the DHTML Editing Component ActiveX control. This control found in Internet Explorer 5 and later IE versions. If a hacker gains control of this function, he could dump code that will execute when a user clicks on a corrupt Web page. The patch is rated critical on Windows 2000 and XP. It's doesn't apply to Vista and Windows Server 2008.

FTP Bug Still at Large
Fix No. 4 should be installed first, said Jason Miller, security and data team manager at Shavlik Technologies, joining a chorus of observers.

He also pointed out what wasn't in this month's slate, namely a fix for a File Transfer Protocol (FTP) service bug, which was disclosed in a security advisory last Thursday. The proof of concept for this bug is less than two weeks old, but the bug has become notable. Microsoft has now updated its advisory to reflect that the vulnerability is being used in "limited attacks."

"Administrators should look at addressing this vulnerability through workarounds provided by Microsoft until a security patch becomes available," Miller said.

Microsoft's Senior Security Program Manager Jerry Bryant said in an e-mailed statement that a patch will be released "once [such an update] has reached an appropriate level of quality for broad distribution."

All of the five patches that were released on Tuesday may require restarts.

Meanwhile, for IT pros who may want to do more housekeeping after implementing the critical fixes, there is the monthly knowledgebase article detailing nonsecurity updates via Microsoft Update, Windows Update and Windows Server Update Services.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.